class sysinit::selinux {
  
  $selinux_enable = $sysinit::selinux_enable
  
  case $selinux_enable {
    true: {
      $selinux_ensure = enforcing
      exec { '/usr/sbin/setenforce 1':
        unless => '/usr/sbin/sestatus | /bin/grep -q enforcing'
      }
    }
    false: {
      $selinux_ensure = disabled
      exec { '/usr/sbin/setenforce 0':
        onlyif => '/usr/sbin/sestatus | /bin/grep -q enforcing'
      }
    }
    default: {
      fail("\${selinux_enable} only support 'true' or 'false'")
    }
  }
  
  ini_setting {'selinux':
    ensure            => present,
    section           => '',
    key_val_separator => '=',
    path              => '/etc/sysconfig/selinux',
    setting           => 'SELINUX',
    value             => $selinux_ensure,
  }
  
}